RE: store passwords securely

From: Thornton, John (john.thornton@attws.com)
Date: 04/10/02


From: "Thornton, John" <john.thornton@attws.com>
To: "'Williams, Larry'" <Larry.Williams@fiserv.com>, "'Wooi Koay'" <wooik@halfmind.com>, security-basics@securityfocus.com
Date: Wed, 10 Apr 2002 11:24:59 -0700

Another issue that needs to be considered is that the web page needs to be
displayed securely (https). If the BlackBerry does not support https, then the
back-end security measures are useless.

-----Original Message-----
From: Williams, Larry [mailto:Larry.Williams@fiserv.com]
Sent: Wednesday, April 10, 2002 8:37 AM
To: 'Wooi Koay'; security-basics@securityfocus.com
Subject: RE: store passwords securely

I have no idea how to design such a beast, but I would put the passwords in
a db server. I would put it behind an auth server. The auth server takes
the password from the web server/script, encrypts it, and sends it to the db
server. The db server first ensures that the auth server is the one making
the request (using rDNS or whatever favorite method you have), then compares
the password sent to the password on file (doing whatever encrypt/decrypt
you desire). The db server sends back either a yes or no to the auth
server, which forwards to the web server/script.

-----Original Message-----
From: Wooi Koay
Sent: Tuesday, April 09, 2002 09:46
To: security-basics@securityfocus.com
Subject: store passwords securely

Hi,

I would like to write a web app that stores a list of passwords securely.
The reason why it has to be a web app is because I want to access the site
using a BlackBerry (RIM handheld).

My idea is to decrypt the password list using a public key, and when a
valid user logs in, the password list is decrypted using the user's
private key. If another user accidentally accesses the password list of
different people, he still can't read the password list because he doesn't
have the matching private key. The problem that I can see is that the
webserver somehow needs to have access to the public/private key pair. If
the webserver is compromised, the passwords could potentially be read. Any
thoughts on that?

TIA, wooi.
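As an added example (not code from anyone in this thread), here is the per-user scheme from the original post written in Go with only the standard library: a user's password list is encrypted so that only the matching private key can read it, and another user's private key is refused. Because RSA cannot encrypt a list of arbitrary length directly, the example assumes a hybrid construction (a fresh AES-256-GCM key for the list, wrapped with RSA-OAEP under the user's public key); the type and function names (Vault, Seal, Open, Demo), the OAEP label and the sample list are all constructed for this example. The server only needs the public key to Seal; wherever Open runs is where the private key must live, which is exactly the compromise concern raised in the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SampleList is a constructed password list standing in for one user's data.
const SampleList = "mail.example.com: hunter2\nbank.example.com: correct horse battery staple\n"

// oaepLabel ties the wrapped key to this use; the value is an assumption of this example.
var oaepLabel = []byte("password-vault-v1")

// Vault is all the server stores for a user. Without the matching private key it is
// opaque: the list is under a fresh AES-GCM key, and that key is RSA-OAEP wrapped.
type Vault struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// Seal encrypts a password list for the holder of the private key matching pub.
// Only the public key is needed here, so the server can do this without secrets.
func Seal(pub *rsa.PublicKey, list []byte) (*Vault, error) {
	key := make([]byte, 32) // one-time AES-256 key, never stored in the clear
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, oaepLabel)
	if err != nil {
		return nil, err
	}
	return &Vault{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, list, nil)}, nil
}

// Open recovers the list. A non-matching private key fails at the OAEP step and a
// modified ciphertext fails the GCM tag check. Run this where the private key lives:
// if that is the web server, compromising it exposes the list.
func Open(priv *rsa.PrivateKey, v *Vault) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, v.WrappedKey, oaepLabel)
	if err != nil {
		return nil, errors.New("vault: private key does not match")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, v.Nonce, v.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("vault: ciphertext tampered or corrupted")
	}
	return plain, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Demo plays out the post's scenario: two users, one list sealed for the first.
// It returns the recovered list, whether the second user's key was refused, and
// whether a one-byte change to the stored ciphertext was detected.
func Demo() (recovered string, otherKeyRefused bool, tamperCaught bool, err error) {
	alice, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	bob, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", false, false, err
	}
	v, err := Seal(&alice.PublicKey, []byte(SampleList))
	if err != nil {
		return "", false, false, err
	}
	plain, err := Open(alice, v)
	if err != nil {
		return "", false, false, err
	}
	_, errBob := Open(bob, v) // wrong user's private key
	tampered := *v
	tampered.Ciphertext = append([]byte(nil), v.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // simulate a modified record in the database
	_, errTamper := Open(alice, &tampered)
	return string(plain), errBob != nil, errTamper != nil, nil
}

func main() {
	got, refused, caught, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered %d bytes; other user's key refused: %v; tamper caught: %v\n", len(got), refused, caught)
}
```

The design choice worth noting is that nothing in Seal requires a secret, so a server that holds only public keys can accept new entries from a thin client; the private key is the one thing that must stay out of the server's reach, and a thin client that cannot hold it itself does not change that requirement.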


